Closed Bug 1101600 Opened 10 years ago Closed 10 years ago

Crash at a weird memory address

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1101576
Tracking Status
firefox36 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

// Random chosen test: js/src/jit-test/tests/basic/strings.js
function strings() {
    var a = [], b = -1;
    var s = "abcdefghij", s2 = "a";
    for (var i = 0; i < 10; i++) {
        a[i] = (s.substring(i, i+1) + s[i] + String.fromCharCode(s2.charCodeAt(0) + i)).concat(i) + i;
    }
}
assertEq(strings(), "aaa00,bbb11,ccc22,ddd33,eee44,fff55,ggg66,hhh77,iii88,jjj991019100");

crashes js debug shell on m-c changeset d0d8c407efb5 with --fuzzing-safe --ion-eager --no-threads --ion-regalloc=backtracking at a weird memory address 0x0000000101fc6b71.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific file(s) is/are:
http://hg.mozilla.org/mozilla-central/file/d0d8c407efb5/js/src/jit-test/tests/basic/strings.js

=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20141118063028" and the hash "4f1382061059".
The "bad" changeset has the timestamp "20141118065627" and the hash "34859490061a".
Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4f1382061059&tochange=34859490061a

(Setting s-s and sec-critical because a weird memory address 0x0000000101fc6b71 seems to be involved.)

Hannes, is bug 1052839 a likely regressor?
Flags: needinfo?(hv1989)
Process 32698 stopped
* thread #1: tid = 0x14e82a, 0x0000000101ec6b71, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x63)
    frame #0: 0x0000000101ec6b71
->  0x101ec6b71: testl  $0x3f, (%rdi)
    0x101ec6b77: je     0x101ec7962
    0x101ec6b7d: testl  $0x4, (%rdi)
    0x101ec6b83: jne    0x101ec6b92
(lldb) bt
* thread #1: tid = 0x14e82a, 0x0000000101ec6b71, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x63)
  * frame #0: 0x0000000101ec6b71
(lldb) dis -p
->  0x101ec6b71: testl  $0x3f, (%rdi)
    0x101ec6b77: je     0x101ec7962
    0x101ec6b7d: testl  $0x4, (%rdi)
    0x101ec6b83: jne    0x101ec6b92
(lldb) register read $rdi
     rdi = 0x0000000000000063
(lldb)

Hmmm, wait, it might be accessing 0x0000000000000063 instead (near-null?), but I'll wait for someone to dispute.
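The reporter's second reading of the lldb session, that the fault is a data access through %rdi at 0x63 rather than an instruction fetch at the pc, is the kind of triage a fuzzing harness can do automatically. The script below is an added example, not code from this bug or from Mozilla's tooling: it parses the stop reason, the faulting instruction and the register dump from an lldb transcript (the sample text is the quoted session, trimmed) and reports whether the fault is a wild pc, a near-null data access, or an arbitrary data access, and which base register it went through. The 64 KiB near-null threshold is an assumption chosen for illustration, not a SpiderMonkey or macOS constant.

```python
import re

# Constructed sample: the lldb transcript quoted in comment 1, trimmed to the lines we parse.
LLDB_OUTPUT = """\
Process 32698 stopped
* thread #1: tid = 0x14e82a, 0x0000000101ec6b71, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x63)
    frame #0: 0x0000000101ec6b71
->  0x101ec6b71: testl  $0x3f, (%rdi)
    0x101ec6b77: je     0x101ec7962
(lldb) register read $rdi
     rdi = 0x0000000000000063
"""

# Assumption for this example: treat addresses below 64 KiB as "near null",
# i.e. a null pointer plus a small field offset rather than a controlled pointer.
NEAR_NULL_LIMIT = 0x10000

STOP_RE = re.compile(r"stop reason = (\w+) \(code=(\d+), address=(0x[0-9a-fA-F]+)\)")
PC_RE = re.compile(r"frame #0: (0x[0-9a-fA-F]+)")
FAULT_INSN_RE = re.compile(r"^->\s+0x[0-9a-fA-F]+:\s+(\S+)\s+(.*)$", re.M)  # the "->" line is the faulting insn
REG_RE = re.compile(r"^\s*(\w+) = (0x[0-9a-fA-F]+)\s*$", re.M)               # "register read" output lines
MEM_OPERAND_RE = re.compile(r"\(%(\w+)\)")                                     # AT&T base register, e.g. (%rdi)


def parse_crash(text):
    """Extract stop reason, fault address, pc, faulting instruction and registers from an lldb transcript."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no EXC_BAD_ACCESS stop reason found in transcript")
    info = {
        "reason": m.group(1),
        "code": int(m.group(2)),
        "fault_address": int(m.group(3), 16),
        "pc": None,
        "mnemonic": None,
        "operands": "",
        "registers": {},
    }
    pc = PC_RE.search(text)
    if pc:
        info["pc"] = int(pc.group(1), 16)
    insn = FAULT_INSN_RE.search(text)
    if insn:
        info["mnemonic"], info["operands"] = insn.group(1), insn.group(2).strip()
    for name, value in REG_RE.findall(text):
        info["registers"][name] = int(value, 16)
    return info


def classify(info):
    """Heuristic triage label: wild pc, near-null data access, or other data access."""
    addr, pc = info["fault_address"], info["pc"]
    # If the kernel reports the pc itself as the bad address, the fetch failed: control flow went somewhere unmapped.
    if pc is not None and addr == pc:
        return "instruction fetch at a wild pc"
    # Otherwise attribute the access to the base register named in the memory operand, when its value matches.
    via = ""
    for reg in MEM_OPERAND_RE.findall(info["operands"]):
        if info["registers"].get(reg) == addr:
            via = f" via ({reg})"
    if addr < NEAR_NULL_LIMIT:
        return f"near-null data access at {addr:#x}{via}"
    return f"data access at {addr:#x}{via}"


if __name__ == "__main__":
    crash = parse_crash(LLDB_OUTPUT)
    print(f"{crash['reason']} pc={crash['pc']:#x} insn={crash['mnemonic']} {crash['operands']}")
    print(classify(crash))
```

On the quoted session this prints "near-null data access at 0x63 via (rdi)": the pc 0x101ec6b71 is mapped JIT code, and the fault is a read of offset 0x63 from a null object pointer, which is why the reporter's first sentence about "a weird memory address" was later corrected to a near-null access. A near-null read is usually a missing null check rather than a controlled pointer, but the label is a starting point for investigation, not a verdict on exploitability.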
Summary: Crash at a weird memory address 0x0000000101fc6b71 → Crash at a weird memory address
I couldn't reproduce this one :(. But I have high hopes it is solved by: https://hg.mozilla.org/integration/mozilla-inbound/rev/43aceb996c3b . Can you confirm?
Flags: needinfo?(hv1989)
(In reply to Hannes Verschore [:h4writer] from comment #2)
> Can you confirm?

Yes, you're right.

=== Tinderbox Build Bisection Results by autoBisect ===
The "bad" changeset has the timestamp "20141119163007" and the hash "2d8d27914945".
The "good" changeset has the timestamp "20141119165203" and the hash "43aceb996c3b".
Likely fix window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2d8d27914945&tochange=43aceb996c3b
Which means the likely fix is bug 1101576.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6ce1b906c690).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release